1. Technical Field
The invention relates to the field of network security. In particular, the invention relates to a method, a server infrastructure and a network system enabling secure user authentication using a network client having access via a card reader to a smart card.
2. Description of the Prior Art
In recent years, an increasing number of novel applications like secure payment services and secure authentication services have become card-based. Today, there is a migration from cards using magnetic stripes to smart card technology, also known as integrated circuit (IC) or chip card technology. For example, nearly half of all bank cards currently circulating in Europe are already chip-based and the percentage of chip-based bank cards is steadily increasing.
The industry is taking advantage of the additional security offered by smart cards in ensuring a compatible secure infrastructure available for home devices. By using smart cards within the home environment, secure payment and authentication services can be offered to consumers, boosting remote services like e-commerce. Along with e-commerce, additional domains like home banking, security services and e-government also require the use of a secure and trustworthy smart card infrastructure.
Such a smart card infrastructure necessarily comprises a secure smart card reader like the card reader specified in the workshop agreement CWA 14174 of the European Committee for Standardization (CEN). A main target of this FINREAD (FINancial transactional IC card READer) initiative is to specify a smart card reader that provides security to many different types of applications. Consequently, the FINREAD card reader does not only support smart cards issued by banks but also smart cards issued for non-financial applications.
Because a personal computer is a target for virus and Trojan horse attacks, the FINREAD card reader provides an additional level of security to make the personal computer or another consumer access device part of a secure and trusted environment. All processing within a specific scheme that is related to trusted handling is performed only through the FINREAD card reader. This ensures that any necessary information can authentically be acknowledged by the consumer.
Authentication of the FINREAD card reader is specified in chapter 10 of the CEN workshop agreement “Financial transactional IC card reader (FINREAD)—part 2: Functional requirements” (Ref. No. CWA 14174-2:2001 E) of July 2001. The main target of the FINREAD card reader authentication function is to allow a service provider like a financial institution or payments scheme to authenticate the origin of data sent by a FINREAD card reader. This function protects against a fake card reader sending data as a FINREAD unit and also against denying that an authenticated message was sent with a FINREAD card reader. The FINREAD card reader authentication function is based on a unique identification number possessed by every FINREAD card reader in addition to the capability of signing with a unique private key. The private key is stored in a tamper resistant security module of the FINREAD card reader that keeps all confidential information in a secure environment.
According to “Financial transactional IC card reader (FINREAD)—part 3: Security requirements” (Ref. No. CWA 14174-3:2001 E) of July 2001, chapter 6.3, FINREAD card reader authentication is cryptographically linked to a specific transaction and, if the authentication functionality is needed, it is activated during the transaction. During FINREAD card reader authentication, a digital signature with the card reader's private key is calculated. More specifically, data to be signed are provided to the security module of the FINREAD card reader for signature calculation with the private key. To have a consistent authentication function, the unique identification number is also included in the data signed.
Besides the unique private key mentioned above a corresponding public key is stored in the FINREAD card reader. The public key is recorded as a certificate which has previously been signed by a private key of a vendor. In order to perform card reader certificate verification, application providers using FINREAD card reader authentication will thus have to obtain the vendor public key.
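The verification chain described in the three preceding paragraphs, shown as an added example that is not code from this document or from CWA 14174: the service provider first checks the vendor-signed reader certificate, then the reader's signature over the transaction data plus the identification number. Assumptions: toy textbook RSA on small fixed primes stands in for the signature algorithm, which the text does not name, and the reader ID, message layout and all function names are constructed for illustration.

```python
# Toy textbook RSA on Mersenne primes: illustrative only, NOT secure, and not
# the algorithm of CWA 14174 (assumption: the text names no algorithm).
import hashlib

E = 65537  # public exponent shared by all toy keys

def keygen(p, q):
    """Return (modulus n, private exponent d) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed key pairs and identification number (hypothetical values).
VENDOR_N, VENDOR_D = keygen(2**127 - 1, 2**89 - 1)
READER_N, READER_D = keygen(2**107 - 1, 2**61 - 1)
READER_ID = b"READER-0001"

def cert_body(reader_id, reader_n):
    return reader_id + b"|" + str(reader_n).encode()

# The vendor signs the reader's public key and ID: this is the certificate.
READER_CERT = {"id": READER_ID, "n": READER_N,
               "sig": sign(cert_body(READER_ID, READER_N), VENDOR_N, VENDOR_D)}

def reader_sign(transaction):
    """Security module: sign the transaction data together with the reader ID."""
    return sign(READER_ID + b"|" + transaction, READER_N, READER_D)

def provider_verify(transaction, sig, cert, vendor_n):
    """Provider: check the certificate with the vendor key, then the signature."""
    if not verify(cert_body(cert["id"], cert["n"]), cert["sig"], vendor_n):
        return False  # certificate not issued by the vendor: reject the reader
    return verify(cert["id"] + b"|" + transaction, sig, cert["n"])
```

Because the identification number is part of both the certificate body and the signed data, a valid signature ties the transaction to one specific reader, which is what lets the provider both reject a fake reader and attribute the message to a real one.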
Starting from applications like e-commerce, e-banking or e-government that require the use of a secure and trustworthy smart card reader, such as the FINREAD card reader or any other card reader associated with an authentication key of its own, there is a need for a secure user authentication procedure. More specifically, there is a need for a method, a computer program product, a server infrastructure and a network system for performing user authentication on a higher security level using such a card reader in conjunction with a corresponding smart card.